Too many problems, not enough time.

VMware + Heartbleed = Sad Panda

+ =

Despite all the noise going on around Heartbleed you’d be forgiven for not realising that VMware is also not immune to this issue. When the TLS heartbeat vulnerability was announced on the 7th April attention was all focused on the big cloud players… Amazon, Google, Twitter, Facebook, etc. Companies like VMware seemed to avoid a lot of attention, at least initially.

I’ve started to read a few posts out there saying that VMware have been a little slow to respond and patch, but I disagree. Unlike some of the companies mentioned above VMware didn’t have a head start in assessing and patching the bug before the announcement of the vulnerability.

VMware first posted a KB article in response to the OpenSSL security issue on the 9th. Looking at the update history of the article VMware posted updates each day thereafter till a patch was release on the 20th April. Two weeks may seem like a long time to wait for the patch but when you put it into perspective. There is still a hell of a lot of companies that haven’t released a patch, and worse yet, many that probably will never release a patch.

There’s no doubt that this is a serious issue specifically for VMware. All their flagship products appear to be effected by Heartbleed, namely vCenter and ESXi 5.5. Hopefully as sys admins we have been following best practices with a separate and isolated management network for these products.

The security advisory link below contains a list of all vulnerable VMware products and likes to downloading the latest patches versions.